CVE-2022-31097

CVE-2022-31097

Name

CVE-2022-31097

Description

Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/
CONFIRM	https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f
MISC	https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/
MISC	https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/
Third Party Advisory	https://security.netapp.com/advisory/ntap-20220901-0010/

Type

URI

MISC

https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/

CONFIRM

https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f

MISC

https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/

MISC

https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/

Third Party Advisory

https://security.netapp.com/advisory/ntap-20220901-0010/

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:grafana:grafana::::::::`	grafana	>= 9.0.0	< 9.0.3
`cpe:2.3:a:grafana:grafana::::::::`	grafana	>= 8.5.0	< 8.5.9
`cpe:2.3:a:grafana:grafana::::::::`	grafana	>= 8.4.0	< 8.4.10
`cpe:2.3:a:grafana:grafana::::::::`	grafana	>= 8.0.0	< 8.3.10

CPE URI

Source package

Min version

Max version

cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*

grafana

>= 9.0.0

< 9.0.3

cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*

grafana

>= 8.5.0

< 8.5.9

cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*

grafana

>= 8.4.0

< 8.4.10

cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*

grafana

>= 8.0.0

< 8.3.10

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
grafana	edge-community	9.0.3-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	fixed
grafana	edge-community	8.5.3-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	8.3.6-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	8.3.4-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	8.3.2-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	8.3.1-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	8.2.4-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	3.22-community	9.0.3-r0	None	fixed
grafana	3.22-community	8.5.3-r0	None	possibly vulnerable
grafana	3.22-community	8.3.6-r0	None	possibly vulnerable
grafana	3.22-community	8.3.4-r0	None	possibly vulnerable
grafana	3.22-community	8.3.2-r0	None	possibly vulnerable
grafana	3.22-community	8.3.1-r0	None	possibly vulnerable
grafana	3.22-community	8.2.4-r0	None	possibly vulnerable
grafana	3.21-community	9.0.3-r0	None	fixed
grafana	3.20-community	9.0.3-r0	None	fixed
grafana	3.19-community	9.0.3-r0	None	fixed
grafana	3.18-community	9.0.3-r0	None	fixed
grafana	3.17-community	9.0.3-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages